Mydoom worm is now the worst email worm incident in virus history

Discussion in 'malware problems & news' started by subratam, Jan 30, 2004.

Thread Status:
Not open for further replies.
subratam (Registered Member, joined Nov 14, 2003, Issaquah, WA):
    The Mydoom email worm, which was first found on January 26th, 2004, has already spread more than Sobig.F. The Sobig.F worm spread massively in August 2003 and until now has held the title of the fastest spreading email worm in history. Email worms are currently the most common virus type in the world. Automatic network worms can spread even faster, but they are not nearly as common.

    There are three main reasons behind the fast outbreak of Mydoom:

    1. Social engineering: the worm masks the infected emails to look like system error messages, prompting people to click on them. Also, some of the infected attachments are inside ZIP archives, which might seem less dangerous to users.
    2. Time zones: Unlike most other recent email worm outbreaks, Mydoom was found in the middle of business hours in the USA, and several large corporate networks got infected immediately.
    3. Aggressive collection of email addresses: in addition to sending itself to email addresses found in users’ files, the worm also creates new addresses by guessing common user names and prepending them to the domain names of found email addresses. It can also bypass some of the tricks people use to hide their email addresses from spammers.

    Although Mydoom (aka Novarg) is now very widespread, it does not pose an immediate threat to infected computers. Mydoom launches a worldwide denial-of-service attack from every infected computer against the website WWW.SCO.COM, which belongs to SCO, a well known Unix vendor. In fact, some have already nicknamed the virus “ScoBig”. However, this attack should not affect the rest of the internet.

    This attack is programmed to start on Sunday, February 1st, at 16:09:18 UTC. The significance of this exact time is not known. It should also be noted that SCO’s web site has suffered from several denial-of-service attacks over the last months, but none of them have been done by using viruses. It’s also possible the attack against SCO is just a smokescreen to misdirect attention away from the backdoor component in the virus – which is most likely included in order to facilitate sending of spam email messages.